author | Alan Coopersmith <alan.coopersmith@oracle.com> | 2013-04-14 09:07:32 -0700 |
---|---|---|
committer | Alan Coopersmith <alan.coopersmith@oracle.com> | 2013-04-26 16:49:23 -0700 |
commit | 26dc23446c2e7818fdebfb46e101bac4883df07e (patch) | |
tree | bab75f1eaf8aba027fbcbf12120d9d669e0d2ee1 | |
parent | f6030dd569094fb29720a4bf54aec784b1edcac5 (diff) |
Sign extension issue and integer overflow in FSOpenServer() [CVE-2013-1996]
> altlen = (int) *ad++; <-- if char is 0xff, will sign extend to int (0xffffffff == -1)
> alts[i].name = (char *) FSmalloc(altlen + 1); <-- -1 + 1 == 0
> ...
> memmove(alts[i].name, ad, altlen); <-- memory corruption
Reported-by: Ilja Van Sprundel <ivansprundel@ioactive.com>
Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>
-rw-r--r-- | src/FSOpenServ.c | 8 |
1 files changed, 4 insertions, 4 deletions
diff --git a/src/FSOpenServ.c b/src/FSOpenServ.c
index f1a6157..15a657a 100644
--- a/src/FSOpenServ.c
+++ b/src/FSOpenServ.c
@@ -111,10 +111,10 @@ FSOpenServer(const char *server)
     char *setup = NULL;
     fsConnSetupAccept conn;
     char *auth_data = NULL;
-    char *alt_data = NULL,
+    unsigned char *alt_data = NULL,
     *ad;
     AlternateServer *alts = NULL;
-    int altlen;
+    unsigned int altlen;
     char *vendor_string;
     unsigned long setuplength;
@@ -157,7 +157,7 @@ FSOpenServer(const char *server)
     setuplength = prefix.alternate_len << 2;
     if (setuplength > (SIZE_MAX>>2)
-        || (alt_data = (char *)
+        || (alt_data = (unsigned char *)
         (setup = FSmalloc(setuplength))) == NULL) {
         goto fail;
     }
@@ -176,7 +176,7 @@ FSOpenServer(const char *server)
     }
     for (i = 0; i < prefix.num_alternates; i++) {
         alts[i].subset = (Bool) *ad++;
-        altlen = (int) *ad++;
+        altlen = (unsigned int) *ad++;
         alts[i].name = FSmalloc(altlen + 1);
         if (!alts[i].name) {
             while (--i) {
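Review bot: The new `altlen = (unsigned int) *ad++;` in the third hunk stops the sign extension, but nothing visible bounds `altlen` (or the two header bytes read just before it) against the bytes actually left in the server-supplied buffer, so a small `alternate_len` combined with a large per-entry length byte still lets the `memmove(alts[i].name, ad, altlen)` quoted in the commit message read past the end of `setup`. Since `alt_data` is the `setuplength`-byte `FSmalloc` result from the second hunk and `ad` appears to walk it, the remaining room can be checked before each read as below; whether `fail:` releases the `alts[]` names allocated so far is outside the hunk and should be confirmed before relying on it. The `while (--i)` cleanup on the last visible line also looks off by one — it never frees `alts[0].name` and, if `i` is 0 on entry, indexes `alts[-1]` — so `while (i-- > 0)` is the usual form, assuming `i` is a plain signed index. The loop body and the rest of FSOpenServer continue past the end of the hunk.
```c
    for (i = 0; i < prefix.num_alternates; i++) {
        /* subset flag and length byte must both lie inside the setup buffer */
        if ((size_t) (ad - alt_data) + 2 > setuplength)
            goto fail;
        alts[i].subset = (Bool) *ad++;
        altlen = (unsigned int) *ad++;
        /* the name bytes that follow must fit in what is left */
        if ((size_t) (ad - alt_data) + altlen > setuplength)
            goto fail;
        alts[i].name = FSmalloc(altlen + 1);
        /* … unchanged: allocation-failure cleanup, name copy … */
```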